Closed
Bug 468538
Opened 16 years ago
Closed 16 years ago
Crash [@ nsParser::ParseFragment] setting innerHTML in mixed-content document
Categories
(Core :: DOM: HTML Parser, defect)
Core
DOM: HTML Parser
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: jruderman, Assigned: bent.mozilla)
References
Details
(6 keywords, Whiteboard: [sg:dos] null deref)
Crash Data
Attachments
(3 files, 1 obsolete file)
|
384 bytes,
application/xhtml+xml
|
Details | |
|
1.16 KB,
patch
|
mrbkap
:
review+
mrbkap
:
superreview+
|
Details | Diff | Splinter Review |
|
1.36 KB,
patch
|
samuel.sidler+old
:
approval1.9.0.11+
|
Details | Diff | Splinter Review |
ML Parsing Error: prefix not bound to a namespace
Location:
Line Number 1, Column 1:
<xul:box><div xmlns="http://www.w3.org/1999/xhtml">
^
###!!! ASSERTION: ParseFragment requires a fragment content sink: 'fragSink', file /Users/jruderman/central/parser/htmlparser/src/nsParser.cpp, line 2073
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../dist/include/xpcom/nsCOMPtr.h, line 796
Regression from bug 460437, perhaps?
|
Assignee | |
Comment 1•16 years ago
|
||
Most likely.
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Flags: blocking1.9.1?
|
|
Assignee | |
Comment 2•16 years ago
|
||
So... This fixes the crash. But it's kinda ugly.
Basically Parse() is failing but returning NS_OK. I think that is the real problem, but I can't imagine how much other code might depend on that currently. So this may be the simplest thing to do for now. mrbkap, what do you think?
Attachment #352020 -
Flags: superreview?(mrbkap)
Attachment #352020 -
Flags: review?(mrbkap)
|
||
Comment 3•16 years ago
|
||
Comment on attachment 352020 [details] [diff] [review]
Patch, v1
I'd rather not do this if possible. Calling into the parser when no sink is null is a dangerous proposition at best. Can we, instead detect that the sink became null after the call to parse (assert that this is the XML mode) and bail early if so?
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
|
Assignee | |
Comment 4•16 years ago
|
||
Attachment #352020 -
Attachment is obsolete: true
Attachment #353134 -
Flags: superreview?(mrbkap)
Attachment #353134 -
Flags: review?(mrbkap)
Attachment #352020 -
Flags: superreview?(mrbkap)
Attachment #352020 -
Flags: review?(mrbkap)
|
|
||
Updated•16 years ago
|
Attachment #353134 -
Flags: superreview?(mrbkap)
Attachment #353134 -
Flags: superreview+
Attachment #353134 -
Flags: review?(mrbkap)
Attachment #353134 -
Flags: review+
|
|
||
Comment 5•16 years ago
|
||
Comment on attachment 353134 [details] [diff] [review]
Patch, v1.1
Yeah, let's try this.
|
|
Assignee | |
Comment 6•16 years ago
|
||
Pushed changeset 324151b8a4b9 to mozilla-central.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 7•16 years ago
|
||
Pushed changeset 445c44c3c804 to mozilla-1.9.1
Keywords: fixed1.9.1
|
Reporter | |
Updated•16 years ago
|
Flags: in-testsuite+
|
||
Comment 8•16 years ago
|
||
Verified on trunk and 1.9.1 with:
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090131 Minefield/3.2a1pre ID:20090131034630
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090201 Minefield/3.2a1pre ID:20090201020604
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20090201 Shiretoko/3.1b3pre ID:20090201033606
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090201 Shiretoko/3.1b3pre Ubiquity/0.1.5 ID:20090201020520
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
|
||
Comment 9•16 years ago
|
||
1.9.0 !exploitable report:
PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gkparser!nsParser::ParseFragment
Flags: blocking1.9.0.11?
|
|
||
Comment 10•16 years ago
|
||
(responding as "private" since comment 9 is private).
This isn't exploitable -- we're calling a virtual function through a guaranteed null pointer. This is a false positive like the one that dveditz pointed out on the s-g list.
|
||
Comment 11•16 years ago
|
||
We've taken bug 460437 in the 1.9.0.11 release, we should probably take this regression fix before we ship a release with the problem.
Flags: wanted1.9.0.x+
Whiteboard: [sg:dos] null deref
|
|
||
Updated•16 years ago
|
Keywords: regression
|
|
||
Updated•16 years ago
|
Flags: blocking1.9.0.11? → blocking1.9.0.11+
|
|
Assignee | |
Comment 12•16 years ago
|
||
Attachment #376091 -
Flags: approval1.9.0.11?
|
||
Comment 13•16 years ago
|
||
Comment on attachment 376091 [details] [diff] [review]
Patch for 1.9.0 branch
Approved for 1.9.0.11. a=ss for release-drivers
Attachment #376091 -
Flags: approval1.9.0.11? → approval1.9.0.11+
|
|
Assignee | |
Comment 14•16 years ago
|
||
Pushed rev 3.412 of nsParser.cpp to cvs.
|
|
Assignee | |
Updated•16 years ago
|
Keywords: fixed1.9.0.11
|
||
Comment 15•16 years ago
|
||
Verified for 1.9.0.11 with my debug build: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11pre) Gecko/2009051111 GranParadiso/3.0.11pre. No crash.
Keywords: fixed1.9.0.11 → verified1.9.0.11
|
||
Updated•14 years ago
|
Crash Signature: [@ nsParser::ParseFragment]
You need to log in
before you can comment on or make changes to this bug.
Description
•